Details
- Type: Bug
- Status: Resolved
- Priority: Blocker
- Resolution: Not A Defect
- Component/s: core
Description
Jenkins 2. setup wizard is failing at the final step after entering the admin username and password details. Identified it as a CSRF vulnerability; as a result the network blocked the completeInstall and createAdminUser files. As per the http://telussecuritylabs.com/threats/show/TSL20170428-01 document, I tried to install the latest fixed version (2.57), but it still appears to have the same issue.
Do we have a fix for this security vulnerability?
Attachments
Activity
Field | Original Value | New Value |
---|---|---|
Resolution | Not A Defect [ 7 ] | |
Status | Open [ 1 ] | Resolved [ 5 ] |
Attachment | 10.133.210.167-Packet Captures.zip [ 39054 ] |
Attachment | Firewall Log File for 10.133.210.167 Vulnerability Alert.xlsx [ 39055 ] |
Resolution | Not A Defect [ 7 ] | |
Status | Resolved [ 5 ] | Reopened [ 4 ] |
Resolution | Not A Defect [ 7 ] | |
Status | Reopened [ 4 ] | Resolved [ 5 ] |
Whatever's doing the blocking is doing it wrong. Jenkins 2.57 specifically fixed potential CSRF issues in these URLs.